<html>
<head><meta charset="utf-8"><title>OSV and `yanked` · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html">OSV and `yanked`</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="243024294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243024294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243024294">(Jun 17 2021 at 14:19)</a>:</h4>
<p>There is a bit of a mismatch between RustSec and OSV  data formats. RustSec only stores <code>yanked = true</code>, while OSV expects a timestamp as well (or at least a date).<br>
We cannot reliably obtain the yank time from git history; heuristics are possible but will not be 100% reliable.<br>
I see two ways to resolve this: either make the date on the OSV's equivalent of <code>yanked</code> optional, or add explicit withdrawal dates to RustSec format _and_ make them mandatory if <code>yanked = true</code>.</p>
<p>OSV's point of view is that the withdrawal date is an important part of the advisory lifecycle, and should be explicitly recorded. My point of view is that interaction with withdrawn advisories should be rare, and if anyone really cares they can look up the revision history in git. OSV also has a unified revision history planned, but is not implemented yet.</p>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> <span class="user-mention" data-user-id="132721">@Tony Arcieri</span> should we add a mandatory field for the yank date, or should I push for OSV making the yank timestamp optional?</p>



<a name="243052403"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243052403" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243052403">(Jun 17 2021 at 17:19)</a>:</h4>
<p>what term does OSV use? we can add another field with the date</p>



<a name="243052415"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243052415" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243052415">(Jun 17 2021 at 17:19)</a>:</h4>
<p>I know "withdrawn" is popular</p>



<a name="243052482"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243052482" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243052482">(Jun 17 2021 at 17:20)</a>:</h4>
<p>it seems "yanked" has confused a lot of people (i.e. does it mean the advisory is yanked, or the crate?)</p>



<a name="243060051"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243060051" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243060051">(Jun 17 2021 at 18:11)</a>:</h4>
<p>if we do that, we can lint for the presence of both, and then eventually phase <code>yanked</code> out</p>



<a name="243060132"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243060132" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243060132">(Jun 17 2021 at 18:12)</a>:</h4>
<p>I think this impacts like what... 2 advisories currently in the database?</p>



<a name="243067798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243067798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243067798">(Jun 17 2021 at 19:05)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> yeah they use <code>withdrawn</code>. So you'd prefer to add a date field to RustSec?</p>



<a name="243067875"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243067875" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243067875">(Jun 17 2021 at 19:06)</a>:</h4>
<p>yeah, just add a new <code>withdrawn</code> field and we can migrate to that</p>



<a name="243200307"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243200307" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243200307">(Jun 18 2021 at 19:34)</a>:</h4>
<p>OSV export is mostly feature-complete. I need to adjust the way modification timestamps are generated and introduce <code>withdrawn</code> field with a date into RustSec, but that's it feature-wise. A TODO list that I keep up to date can be found here: <a href="https://github.com/Shnatsel/rustsec/blob/osv/OSV-TODO.md">https://github.com/Shnatsel/rustsec/blob/osv/OSV-TODO.md</a></p>



<a name="243200330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243200330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243200330">(Jun 18 2021 at 19:34)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> OSV folks are looking to make an announcement blog post and would like to be able to point to the mainline RustSec advisory DB rather than a fork. Is it OK if I make <code>osv-experimental-v0.7</code> branch on the main repo and get the export job going on CI, with the code being pulled from my fork of <code>rustsec</code> repo for now?</p>



<a name="243200404"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243200404" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243200404">(Jun 18 2021 at 19:35)</a>:</h4>
<p>Or maybe I should migrate the code to a branch in the mainline <code>rustsec</code> repository <span aria-label="thinking" class="emoji emoji-1f914" role="img" title="thinking">:thinking:</span></p>



<a name="243200506"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243200506" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243200506">(Jun 18 2021 at 19:36)</a>:</h4>
<p>Can we just get this stuff properly merged before a public blog post? I think having a bunch of tools pointed at forks of the advisory DB is a bad idea -- there should just be one canonical advisory DB.</p>



<a name="243200979"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243200979" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243200979">(Jun 18 2021 at 19:42)</a>:</h4>
<p>There is kind of a chicken-and-egg problem: they want to announce the effort and get feedback on a specific working thing before they freeze the format. But merging and publishing an unstable format would probably incur needless semver bumps of the rustsec crate.</p>



<a name="243201014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243201014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243201014">(Jun 18 2021 at 19:43)</a>:</h4>
<p>But yeah, getting everything at least in the official repositories if not the mainline branch sounds like a good idea!</p>



<a name="243201180"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243201180" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243201180">(Jun 18 2021 at 19:45)</a>:</h4>
<p>Using a fork of other repos seems ok, but why does it requires a fork of the advisory DB? just for the withdrawn field, right? I think we can make that improvement regardless of what else OSV needs.</p>



<a name="243201245"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243201245" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243201245">(Jun 18 2021 at 19:46)</a>:</h4>
<p>Oh, I've just been pushing to a fork of the advisory-db repo so that I definitely don't break anything in production. All OSV stuff goes into a separate branch anyway, the main branch is untouched.</p>



<a name="243201326"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243201326" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243201326">(Jun 18 2021 at 19:46)</a>:</h4>
<p><a href="https://github.com/Shnatsel/advisory-db/tree/osv">https://github.com/Shnatsel/advisory-db/tree/osv</a> this is what it looks like today</p>



<a name="243201393"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243201393" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243201393">(Jun 18 2021 at 19:47)</a>:</h4>
<p>I'm always reading from the mainline advisory DB, not monkey-patching it in any way.</p>



<a name="243202149"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243202149" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243202149">(Jun 18 2021 at 19:56)</a>:</h4>
<p>I don't think I can overstate how busy I am today</p>



<a name="243202154"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243202154" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243202154">(Jun 18 2021 at 19:56)</a>:</h4>
<p>I can respond tomorrow</p>



<a name="243202223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243202223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243202223">(Jun 18 2021 at 19:57)</a>:</h4>
<p>Sure, no rush</p>



<a name="243202268"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243202268" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243202268">(Jun 18 2021 at 19:58)</a>:</h4>
<p>No need for tomorrow, Monday is fine, later is OK too</p>



<a name="243203005"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/OSV%20and%20%60yanked%60/near/243203005" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/OSV.20and.20.60yanked.60.html#243203005">(Jun 18 2021 at 20:05)</a>:</h4>
<p>I'd much rather delay this thing than burn your out, Tony.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>